SAP Security Notes February 2016 – Manufacturing Cybersecurity

SAP has released the monthly critical patch update for February 2016. This patch update closes 23 vulnerabilities in SAP products including 15 SAP Security Patch Day Notes, 1 update to a previous Security Note, 2 Support Package Notes released on this SAP patch day and 5 Notes released after the second Tuesday of the previous month and before the second Tuesday of this month.

13 of the closed Notes have a high priority rating. The highest CVSS score of the vulnerabilities is 7.5.

Most of the discovered vulnerabilities concern the security of SAP NetWeaver J2EE applications. Cybersecurity issues for manufacturing industries were also covered as part of this update.

The most common vulnerability types are cross-site scripting and missing authorization check.

This month, four critical vulnerabilities found by ERPScan researchers Dmitry Chastuhin and Vahagn Vardanyan were closed.

Manufacturing Cybersecurity

One of the issues closed by ERPScan researchers deserves attention: a directory traversal vulnerability in SAP xMII (Manufacturing Integration and Intelligence). This solution plays a vital role in the cybersecurity of Manufacturing, Oil and Gas, Energy and Utility companies. SAP xMII provides a connection between shop-floor systems and enterprise business applications. It is designed to collect and aggregate plant and production information and then display this data to management on dashboards based on ERP, BI, and other systems. Despite all the benefits, SAP xMII may also put enterprises at risk. Vulnerabilities affecting SAP MII can be used as the starting point of a multi-stage attack that aims to gain control over plant devices and manufacturing systems. ERPScan researchers demonstrated similar attack vectors against Oil and Gas companies at the recent BlackHat conference. The directory traversal vulnerability is another entry point for attackers to penetrate the plant floor and Operational Technology networks where ICS and SCADA systems are located.

Issues that were patched with the help of ERPScan

Below are the details of the SAP vulnerabilities that were found by ERPScan researchers.

A directory traversal vulnerability in SAP Manufacturing Integration and Intelligence (CVSS Base Score: 4.0). An update is available in SAP Security Note 2230978. An attacker can use a directory traversal vulnerability to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration and system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.

An SQL injection vulnerability in SAP UDDI (CVSS Base Score: 6.8). An update is available in SAP Security Note 2101079. An attacker can use an SQL injection vulnerability with specially crafted SQL queries. He can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable. In some cases, the attacker can access system data or execute OS commands.

An information disclosure vulnerability in SAP Universal Worklist Configuration (CVSS Base Score: 5.0). An update is available in SAP Security Note 2256846. An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that will help him to learn about a system and to plan other attacks.

A cross-site scripting vulnerability in SAP Java Proxy Runtime (CVSS Base Score: 4.3). An update is available in SAP Security Note 2220571. An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page. More information about XSS vulnerabilities in SAP systems is available in ERPScan’s research.

Other critical issues closed by SAP Security Notes February 2016

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can be patched first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

2273881: SAP TREX has an OS command execution vulnerability (CVSS Base Score: 7.5). An attacker can use an OS command execution vulnerability to execute operating system commands without authorization. Executed commands will run with the same privileges as the service that executed them. The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system. Install this SAP Security Note to prevent risks.

2266565: SAP SAPSSOEXT has a denial of service vulnerability (CVSS Base Score: 5.0). An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component. During this time, nobody can use the service, which negatively affects business processes, system downtime, and reputation. Install this SAP Security Note to prevent risks.

It is highly recommended to patch all of these SAP vulnerabilities to prevent business risks affecting your SAP systems.

As is traditional, SAP has thanked the security researchers from ERPScan on its acknowledgment page for the vulnerabilities they found.

Advisories for those SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.